AI scammers, holographic PMs and losing the race to the research pole

We live in interesting times.

If a royal wedding watched by half the planet or the pending implementation of an EU privacy regulation doesn’t float your boat – 5 days to GDPR! – tomorrow New Zealand’s Prime Minister will address the crowds at Techweek in holographic form. Likely so she can keep up with work commitments and be in two places at once and who wouldn’t benefit from cloning themselves to stay on top of email.

“Help me NZ techies, you’re my only hope….”

Meanwhile the boffins at Google have taken decades of research into AI and computer speech synthesis and produced an autonomous assistant in the form of ‘Duplex’ that can book a hair appointment for you and sound uncannily real in the process. Parody makers start your engines…

The pilot survey requested basic demographics and used 62 questions from 3 psychometric scales to measure computer use, health and lifestyle factors and how they may shape risk appetite and risk perception:

Can we prove that a low score is predictive of being pre-disposed to socio-technical internet attacks?

The high-level concept being to generate a ‘Security Quotient’ score and to see if it’s possible to test for high-risk human behaviour and mitigate it through additional security controls or by educating people in a targeted manner to mitigate those risks.

Could personality profiling be used for more than just targeted advertising remarketing on search engines and social media? What if you could understand and quantify the nature of the people risk in your organisation as you can the technology risk?

Results from the pilot showed a distribution of scores from 28 valid responses with one anonymous respondent identified as very/high risk on two of the three scales:

To those attending, I summarised the next steps:

A larger survey dataset is necessary to validate the ‘average individual score’ concept of 60%.

Submissions by victims of cybercrime are required to validate the predictive ability of any such Security Quotient score.

Nationality should be captured in the full survey for evaluation of cultural ‘Individualism’ being a protective factor

2018 project delays

A mix of family commitments and a new role working in Deloitte’s cyber team has pushed back the final survey by three months. The race is now on to complete this second stage and write up the findings.

Whilst this initially left me feeling like Robert Scott beaten to the South Pole by Roald Amundsen (but without the cold and suffering), my reading of their work suggests the Security Quotient concept is still valid.

Dr David Modic’s team developed the StP-II scale with an initial 138 items based on significant research into scam compliance. They had used the 12-item Consideration of Future Consequences Scale and confirmed that self-control is an important predictor of various behaviours including victimisation. Lack of premeditation – thinking before you act – is a significant predictor of scam compliance. They also made use of the full DOSPERT-R scale (as opposed to just the recreational risk elements highlighted by Elie Bursztein’s 2016 research into USB drops) to evaluate individual risk preferences.

Read the full research and you find the eventual StP-II scale drops to 54 core items to measure susceptibility to persuasion. The best part is the test is now online so give it a go and see how your personality stacks up.

But please be sure to take the updated Security Quotient survey once the final tweaks have been made, hopefully later this month, I don’t want to suffer the fate of Antarctic explorers…